Agenda


Xbox Linux status Dec 2002 

the 007 hack ("Agent Under Fire")
the Ernie & Bert hack (Dashboard) 
the Audio hack (Dashboard) 
MechInstaller 
Xbox Linux Motivation

- Linux for Playstation 2
- "The Xbox is a great gaming console"!?
- Celeron III (Coppermine) 733 MHz
- 64 MB RAM
- nVidia GeForce 3MX
- 10 GB IDE hard disk, IDE DVD
- 10/100 Ethernet
- 4x USB 1.1
- sophisticated security system
- custom DVD format
- accepts only signed executables (XBE)
- chain of trust
Xbox Linux History

23 May 2002: founded
13 Aug 2002: kernel booted
07 Oct 2002: distro with KDE & Gnome
17 Dec 2002: Linux bootloader ROM





Modchips

- Xbox had to be opened
- warranty problem
- modchips were > 30 EUR/USD
- too complicated for many people
- modchips are associated with piracy
The 007 hack

From: habibi_xbox
Date: 30 Mar 2003
Subject: Project B Solved !

Ladies and Gentlemen,
I'm happy to present the first solution found for the Xbox Linux Project B:
Here is a way to run Xbox Linux on an unmodded, unopened Xbox !
Included is a uuencoded zip file containing all the necessary files. Here is
what you need:
- You need an unmodded XBOX (not sure it works with modded bios)
- You need the game 007 Agent Under Fire (*NOT* NIGHTFIRE, those are two
different games!)
- You need a way to transfer a save to a memory card (that is, xbox-save.com's
hardware, or usb<>xbox cable + usb stick + xbox-save software, or you can
use a standard memory card too if you can put files on it (with EvoX for
instance).
- You need to get the "Xbox Linux Live" small distro.
Got all this? Let's party!





The 007 hack

31 March 2003: First solution for Project B issued. Habibi_xbox has released a small
savegame for 007 Agent Under Fire on Xboxhacker (See here for original thread). We
have now confirmed this savegame can be made to boot the Xbox Linux Live Plugin Distro
on an unmodified Xbox! Note you can get video working by telnetting to the box, using

    # -O writes the download to the file "xbv" (-o would only redirect wget's log);
    # the URL is quoted so the shell does not expand the "*" and "?" in it
    wget -O xbv 'http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/xbox-linux/xbv/xbv?rev=1.16'
    chmod +x xbv
    ./xbv -m 0

We will be building on Habibi_xbox's work and releasing more ways to run Linux on your
unmodified Xbox.

This represents the first confirmed success in the Project B competition, which runs until
December 31st 2003. As it is still not possible to use this exploit purely from HDD or USB
dongle on an unmodded box (you must use a retail DVD of "007 Agent Under Fire" only),
we hope this won't be the last great Project B entry we see.
About buffer overflows (1)

About buffer overflows (2)

- Usually happens on the stack

[stack diagram, BOTTOM to TOP: function arguments, saved return address, local variables (including buffer)]

    char buffer[20];
    sprintf(buffer, "Hello %s", name);

    function("this name is too biiiiiiiiiiig");
Buffer overflows for Xbox Linux

- If an Xbox game can be crashed by badly formed input, our own code can run without a modchip
- What "badly formed input" can we provide?
- Idea: find game saves with strings in them
- sprintf() overflows can be triggered if input not properly checked
Game saves

- Size: from a few bytes to several Megabytes
- ~2/3 of them contain strings
- Problem: can't be edited (hashed)
- Hashing done by the game itself, so
  - Hash check can be removed from the game (MS library function) for development
What's needed then...

[hiew hex dump of RBSAVE~1.DAT, a game save containing readable strings]
Let's play...

- Started replacing strings with much larger ones
- ~1/3 of games checked at first are crashing!
The « Amped » case

- Crash (in the game, error display)
- Return address can't be changed but some processor registers can be set to any value (but aren't used...)
- Means the save game idea was good








The « Frogger » case (1)

- Just one string
- Player name: 10 characters

[hiew hex dump of FBSAVE2.DAT]

- sprintf(buffer, "Confirm load of %s?", ...)
- Can be overflowed
- Return address can be changed directly
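The sprintf() pattern from the Frogger save and the stack-overflow slides, as an added example that is not code from the talk or from any game: a check of how far an unchecked save string would overrun a fixed buffer, the snprintf() form that bounds the write, and a validator for the raw name field before it reaches any formatting call. The 32-byte buffer size, the helper names and the sample name fields are this example's assumptions; only the 10-character name limit and the "Confirm load of %s?" message come from the slides.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stdint.h>

#define NAME_LIMIT 10   /* Frogger: the player name field holds 10 characters */
#define MSG_BUF    32   /* assumed size of the fixed stack buffer the game formats into */

/* Vulnerable pattern from the slides: sprintf() into a fixed buffer with a
 * string whose length comes straight from the save file.  A real overflow is
 * undefined behaviour, so instead of calling sprintf() we compute the number
 * of bytes it WOULD write, which is exactly what an auditor checks. */
size_t vuln_sprintf_len(const char *name)
{
    /* "Confirm load of %s?" -> prefix + name + '?' + terminating NUL */
    return strlen("Confirm load of ") + strlen(name) + strlen("?") + 1;
}

bool would_overflow(const char *name)
{
    return vuln_sprintf_len(name) > MSG_BUF;
}

/* Hardened version: snprintf() bounds the write and its return value tells
 * the caller whether the output was truncated, i.e. the input was oversized. */
bool safe_confirm_msg(char *out, size_t outsz, const char *name)
{
    int n = snprintf(out, outsz, "Confirm load of %s?", name);
    return n >= 0 && (size_t)n < outsz;   /* false: truncated, reject the save */
}

/* Same check with the game's own buffer size, for callers that only want
 * the verdict. */
bool confirm_fits(const char *name)
{
    char msg[MSG_BUF];
    return safe_confirm_msg(msg, sizeof msg, name);
}

/* Validate a raw, NUL-padded name field read from the save file before it is
 * passed to any formatting function: it must terminate inside the field and
 * respect the game's own limit. */
bool name_field_ok(const uint8_t *field, size_t field_len)
{
    size_t len = 0;
    while (len < field_len && field[len] != 0)
        len++;
    return len < field_len && len <= NAME_LIMIT;
}

/* Constructed inputs (not real save data): a legitimate 16-byte name field
 * and one filled with an oversized string, as on the "Let's play" slide. */
const uint8_t good_field[16] = "Frogger";
const uint8_t evil_field[16] = "AAAAAAAAAAAAAAAA";   /* no terminator at all */

int main(void)
{
    const char *big = "this name is too biiiiiiiiiiig";
    printf("sprintf would write %zu bytes for \"%s\" (overflow: %d)\n",
           vuln_sprintf_len(big), big, would_overflow(big));
    printf("snprintf accepted it: %d\n", confirm_fits(big));
    printf("good field ok: %d, evil field ok: %d\n",
           name_field_ok(good_field, sizeof good_field),
           name_field_ok(evil_field, sizeof evil_field));
    return 0;
}
```

The validator rejects the save before the string is ever formatted; that is the check the crashing games were missing, and it is cheaper than trusting a hash the game computes itself (the slides note that hash check can simply be removed).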
The « Frogger » case (2)

- With a trick we can jump to the place we want!
  - jmp [eax+10h] where we can control e​ax
- Save is always loaded at the same address
- Shellcode patches and runs a program
The « Frogger » case (3)

[screenshot: "Hello Tux !"]

- Problem: Frogger is not released in Europe
- Hacked save is BIOS specific
The « 007 » case (1)

- Basic overflow on a string buffer
- A save game name > 256 bytes crashes the Xbox
  - return address right after those 256 bytes
- Better than Frogger: game exists in all regions, and exploit is not BIOS specific




The « 007 » case (2)

- Problem: 4 different executables for 4 different versions
- For each executable, the save is loaded at a slightly different address in memory
- But one save is enough: 4 entry points
The « 007 » case (3)

- The shellcode
  - Turns off kernel write protection
  - Replaces Xbox public key
  - Executes a program signed with a custom private key (Xbox-Linux loader)

[hiew disassembly of the exploit: a call/pop sequence to find its own load address (ebp), a loop that rewrites page table entries at C0000000h (and eax,0FFFFFF00h / or eax,63h) to turn off write protection, then the RSA key search loop (cmp eax,0A44B1BBDh / xor dword [esi-1],2DD78BD6h) shown in full on a later slide]








The « 007 » case (4)

- Ensure only Xbox-Linux can be run using this hack
  - Xbox-Linux Live was signed
- Obfuscation
; replace MS RSA key with our own one
    mov esi, 80000000h
scan:
    lodsd
    sub esi, 3
    cmp eax, 0a44b1bbdh
    jnz scan
    xor dword [esi-1], 02dd78bd6h

; re-point the D: symbolic link at the save directory
    lea eax, [ebp+filename2]
    push eax
    mov ebx, [ds:ebp+IoDeleteSymbolicLink]
    call [ebx]

    lea eax, [ebp+filename3]
    push eax
    lea eax, [ebp+filename2]
    push eax
    mov ebx, [ds:ebp+IoCreateSymbolicLink]
    call [ebx]


; call the xbe!
    push 0h
    lea eax, [ebp+xbename]
    push eax
    call 0x2a4c6                 ; call the xbe!
xbename db "d:\UDATA\4541000d\00000000000000\linux.xbe", 0

; ---- evox 2.5 patching ----
    mov edi, 0800259AFh
    mov eax, 0x42b69f5e
    stosd
    mov eax, 0x2579952c
    stosd
    mov al, 0A4h
    stosb
    mov edi, 0800259B3h
    mov eax, 0x6937bada
    stosd
; ---- end evox 2.5 patching ----

[hex dump of the exploit file starting with a JPEG (JFIF) header]








Thank you Agent 007... 
Save Game Exploits

- Can be used for
  - Linux from memory card or hard disk
  - TSOP flashing
- Problem:
  - game needs to be started every time
  - the DVD can't be ejected!

Dashboard

- the main program on hard disk
- gets run when there is no DVD
- drive can be ejected while Dashboard is running
[Full-Disclosure] When full disclosure is the only way...

se@nopiracy.de
Fri, 4 Jul 2003 04:02:43 +0200

XBOX Security

-= Security Advisory =-

Advisory: XBOX Dashboard local vulnerability
Release Date: 2003/07/04
Last Modified: 2003/07/04
Author: Stefan Esser
Application: Microsoft XBOX Dashboard (up to today)
Severity: A vulnerability within the XBOX Dashboard allows to
totally compromise the security features of the XBOX.
Risk: Critical
Vendor Status: Vendor is not willing to talk about XBOX vulnerabilities.

Stefan Esser





Dashboard Used Files

- Data
  - XIP
  - fonts
  - .WAV
- Custom Soundtracks
  - ST.DB
  - .WMA files
- Savegames
Font Loader Bug

    ReadFile(handle, &dwBlockSize, 4, &dwNumRead, NULL);
    pBlock = new BYTE[dwBlockSize];
    *(DWORD*)pBlock = dwBlockSize;
    ReadFile(handle, pBlock + 4, dwBlockSize - 4, &dwNumRead, NULL);

- Overflow if dwBlockSize is 0..3: dwBlockSize - 4 wraps around (integer underflow), so a tiny allocation is followed by a huge read into it
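The font-block length bug above, worked through as an added example (this is not the Dashboard's code): the same arithmetic run over an in-memory file that stands in for ReadFile(), beside a loader that applies the check from the later fix slide before allocating anything. The MemFile type, read_file(), and the two constructed font blocks are this example's own; the 4-byte length field and the MINIMUM_BLOCKSIZE check are from the slides.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>

#define MINIMUM_BLOCKSIZE 4u   /* a block is at least its own 4-byte length field */

/* Stand-in for a file handle: the whole font file is an in-memory buffer. */
typedef struct { const uint8_t *data; size_t len, pos; } MemFile;

/* Stand-in for ReadFile(): copies up to n bytes, returns how many it got. */
static size_t read_file(MemFile *f, void *dst, size_t n)
{
    size_t avail = f->len - f->pos;
    if (n > avail) n = avail;
    memcpy(dst, f->data + f->pos, n);
    f->pos += n;
    return n;
}

/* Vulnerable loader arithmetic: returns the byte count the original code
 * hands to the second ReadFile(), dwBlockSize - 4 in 32-bit unsigned math.
 * For dwBlockSize 0..3 it wraps to about 4 GB while the allocation was only
 * dwBlockSize bytes: the heap overflow described on the slide. */
uint32_t vuln_body_len(const uint8_t *file, size_t len)
{
    MemFile f = { file, len, 0 };
    uint32_t dwBlockSize = 0;
    read_file(&f, &dwBlockSize, 4);        /* little-endian, as on the x86 Xbox */
    return dwBlockSize - 4;                /* underflows when dwBlockSize < 4 */
}

/* Fixed loader: the check from the fix slide, plus a check that the body is
 * really present, before anything is allocated.  Returns the accepted block
 * size, or 0 when the block is rejected. */
uint32_t fixed_load_block(const uint8_t *file, size_t len)
{
    MemFile f = { file, len, 0 };
    uint32_t dwBlockSize = 0;
    if (read_file(&f, &dwBlockSize, 4) != 4) return 0;
    if (dwBlockSize < MINIMUM_BLOCKSIZE) return 0;       /* the fix */
    if (dwBlockSize - 4 > len - 4) return 0;             /* truncated file */
    uint8_t *pBlock = malloc(dwBlockSize);
    if (pBlock == NULL) return 0;
    memcpy(pBlock, &dwBlockSize, 4);                     /* *(DWORD*)pBlock = dwBlockSize */
    size_t got = read_file(&f, pBlock + 4, dwBlockSize - 4);
    uint32_t result = (got == dwBlockSize - 4) ? dwBlockSize : 0;
    free(pBlock);
    return result;
}

/* Constructed font blocks (not real Dashboard font data). */
const uint8_t bad_font[]  = { 0x02, 0x00, 0x00, 0x00, 0x41, 0x42 };   /* length field 2 */
const uint8_t good_font[] = { 0x08, 0x00, 0x00, 0x00, 1, 2, 3, 4 };   /* length field 8 */

int main(void)
{
    printf("bad font: second read would be asked for 0x%08X bytes into a 2-byte block\n",
           vuln_body_len(bad_font, sizeof bad_font));
    printf("fixed loader: bad font -> %u, good font -> %u\n",
           fixed_load_block(bad_font, sizeof bad_font),
           fixed_load_block(good_font, sizeof good_font));
    return 0;
}
```

The minimum-size check alone closes the underflow; the extra truncation check is what stops a short file from leaving part of the allocated block uninitialised, which is a separate, milder bug the slide does not discuss.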
Bug Found - What Now?

Several questions

1. Is the XDK Heap Manager exploitable?
   - analysis of Xbox heap manager
2. How can we develop an exploit without a debugger?
   - trial and error with custom-made memory dumper
3. How can we get shellcode into the address space?
   - inject it into font files





Heap on Xbox

- Heap control information is stored inline, together with the data: (heap control information | allocated memory | heap control information | allocated memory | ...)
- Free blocks in doubly-linked free lists
Xbox Heap: Free Block Header

SIZE              Size of this block in 16 byte units
PSIZE             Size of previous block in 16 byte units
F                 Flags: fill on free; last in list
FORWARD/BACKWARD  Next/previous free block of same size in linked list
[diagram: free block header with FWD at +0x00 and BWD at +0x04]

Xbox Heap: Unlink Example

- FWD of fake header points to our shellcode buffer
- BWD of fake header points to a saved EIP on stack
- Unlinking the faked block then performs two writes:
  - BWD->FWD = FWD (overwrite saved EIP)
  - FWD->BWD = BWD (overwrite dummy word)

[diagram: FAKED HEADER (+0x00 FWD, +0x04 BWD); STACK (param 1, param 2, saved EIP); shellcode starting with JMP $+4 followed by the dummy word that the second write clobbers]




Returning into Code - How?

- return address on stack?
  - no, stack addresses differ between situations
- imported function pointers?
  - no, pages are write protected
- entry in x86 IDT?
  - no, is unstable / depends on kernel
- Structured Exception Handler (SEH) chain on stack?
  - yes, topmost SEH handler will get called




How to get code into address space?

- modify XBE (append/inject)?
  - not possible because of digital signature
- inject into XIP data files?
  - not possible, dashboard "knows" SHA1 hash
- inject into WAV audio files?
  - were not found in memory dump
- inject into font files?
  - yes, the only known solution (so far)





Exploit Shellcode

1. Find Kernel Base Address
   (Take entry from IDT and scan back until PE header found)
2. Lookup needed kernel exports (only for LED flashing)
3. Exchange RSA key (Habibi modulus / exponent: 3)
4. Play with LED color
5. Search for XDK xbe execution routine inside Dashboard
6. Call XDK routine to execute linux.xbe
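Two of the memory-scanning steps above, step 1 (find the kernel base from an address inside it) and step 3 as the 007 shellcode implements it (find the key by its magic dword and XOR-patch it), as an added example that is not the shellcode's code: both scans run over a constructed fake kernel image in user space, with addresses as offsets into that buffer. The magic 0xA44B1BBD and mask 0x2DD78BD6 are the values printed in the 007 listing, "MZ"/"PE\0\0" and e_lfanew are the standard PE constants; the image layout and helper names are this example's own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE      0x1000u
#define IMG_SIZE  (4u * PAGE)
#define KEY_MAGIC 0xA44B1BBDu     /* dword the 007 shellcode searches for */
#define KEY_MASK  0x2DD78BD6u     /* what it XORs into the match */

uint8_t img[IMG_SIZE];            /* simulated kernel address space (offsets) */

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, img + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(img + a, &v, 4); }

/* Constructed layout (not a real kernel): an "MZ" header at page 1 whose
 * e_lfanew points at a "PE\0\0" signature, code at page 3 that an IDT entry
 * would point into, and the key dword at an unaligned offset. */
#define KERNEL_BASE 0x1000u
#define IDT_TARGET  0x3210u
#define KEY_OFFSET  0x2003u

void build_fake_kernel(void)
{
    memset(img, 0, sizeof img);
    img[KERNEL_BASE] = 'M'; img[KERNEL_BASE + 1] = 'Z';
    wr32(KERNEL_BASE + 0x3C, 0x80);              /* e_lfanew */
    wr32(KERNEL_BASE + 0x80, 0x00004550u);       /* "PE\0\0" */
    wr32(KEY_OFFSET, KEY_MAGIC);
}

/* Step 1: from any address inside the kernel (an IDT entry on the real box)
 * walk back one page at a time until a DOS header whose e_lfanew points at
 * a PE signature is found.  Returns -1 if none. */
long find_kernel_base(uint32_t addr_in_kernel)
{
    uint32_t a = addr_in_kernel & ~(PAGE - 1);
    for (;;) {
        if (img[a] == 'M' && img[a + 1] == 'Z') {
            uint32_t e_lfanew = rd32(a + 0x3C);
            if (e_lfanew <= IMG_SIZE - 4 - a && rd32(a + e_lfanew) == 0x00004550u)
                return (long)a;
        }
        if (a == 0) return -1;
        a -= PAGE;
    }
}

/* The 007 key-replacement loop: "lodsd / sub esi,3" walks memory one byte at
 * a time; on a match "xor dword [esi-1], mask" patches the matched dword
 * itself (after lodsd esi is match+4, after sub esi,3 it is match+1).
 * Returns the offset that was patched, or -1. */
long patch_rsa_key(uint32_t start)
{
    for (uint32_t esi = start; esi + 4 <= IMG_SIZE; esi++) {
        if (rd32(esi) == KEY_MAGIC) {
            wr32(esi, rd32(esi) ^ KEY_MASK);
            return (long)esi;
        }
    }
    return -1;
}

uint32_t dword_at(uint32_t a) { return rd32(a); }

int main(void)
{
    build_fake_kernel();
    printf("kernel base from 0x%X: 0x%lX\n", IDT_TARGET, find_kernel_base(IDT_TARGET));
    long at = patch_rsa_key(0);
    printf("key dword patched at 0x%lX, now 0x%08X\n", at, dword_at((uint32_t)at));
    return 0;
}
```

Note that the byte-granular scan costs nothing on a 64 MB console but is only as selective as the four magic bytes: a second occurrence earlier in memory would be patched instead, which is why the shellcode starts at the kernel's base of 80000000h rather than at 0.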
Exploit Development

3. Run and check memory/coredump
4. Repeat until heap control information is correctly overwritten, so that dashboard crashes with a write of a known value to a known address
5. Simple because everything is aligned

Exploit Construction: Shellcode Font

1. Create big font with lots of "NOP" sequences and shellcode
2. Dump memory and check where font is loaded
3. Stack differs with different dashboards and different booting situations
4. Choose offset in the middle of Big Font to always hit "NOP" sequence
5. Put offset into "overflow font" (2nd offset is topmost SEH table address)
Problems encountered

- No CMOS battery: losing clock settings
- Dashboard then takes a different code path
- lost thread race
    ReadFile_wrapper(handle, &dwBlockSize, 4, &dwNumRead, NULL);
    if (dwBlockSize < MINIMUM_BLOCKSIZE) return (false);
    pBlock = new BYTE[dwBlockSize];
    *(DWORD*)pBlock = dwBlockSize;
    ReadFile_wrapper(handle, pBlock + 4, dwBlockSize - 4, &dwNumRead, NULL);





What now?

- the bug is severe

[comic strip: "Okay, you guys... We're going to call Microsoft, and make our demands!" / "What? What happened?" / "You totally talked to her, though. That's pretty cool."]
Talking to Microsoft

From: free-x
Date: 4 Jul 2003

Dear Public,
Today is a very sad day for Microsoft.

One month ago, we began an attempt to make contact with Microsoft, we did this because the first
software only mod-chip solution was developed and proved working. This solution meant that there was
no need to open the XBox anymore.

The modification only needs to be installed once and all existing XBox consoles are able to be modified to
use this exploit, only new consoles with an updated Firmware could lock out this exploit.

After discovering this exploit a Team was formed known as the "Free-X (box)" team.

Members of this team have made many attempts to initiate discussions with Microsoft by various means
including:

1. Contacting certified XBox game developers requesting that they contact Microsoft to facilitate
discussions about our discoveries.
2. Contacting major web-based news sources requesting that they contact Microsoft on our behalf.
3. Direct contact with various Microsoft departments globally.
4. Direct contact with Authorised XBox distributors globally.


Speaking of the Dashboard exploit...

- there is another thing...





Another Dashboard vulnerability

From: Alex
Date: 4 Jul 2003

Ladies and Gentlemen,
Earlier today the team known as "free-x" released a dashboard exploit
allowing people to run linux without a modchip using an integer overflow in
the dashboard font files.

A trick using the dashboard is way better than the usual 007 trick, because
you don't need a game (only once, for installation), and you can eject the CD
without resetting the system.

Luckily, the XBOX Dashboard is quite buggy, and free-x bug is not the only
one :-) I will present here another dashboard bug found and exploited
independently.


Dashboard Audio Exploit

- After releasing the 007 hack, started working on a Dashboard hack; found one quickly
- Totally different bug than the one by Stefan Esser
- But same interest: no need to boot a game anymore, and CD can be ejected

Finding the Audio Exploit

- Most Dashboard files are signed, so they can't be modified
- But user-created (dynamic) files can't be signed
- Ex: the user can rip audio CDs and put the songs on the Xbox
- Songs are indexed in a file named ST.DB








Inside ST.DB

- Contains lots of strings
- No buffer overflow can be triggered on any string
- Contains various integers including the number of tracks
- No range check on this number

Let's exploit it!

- Inside the code there is:
    array[number_of_tracks] = value;
- Where both number_of_tracks and value come from the ST.DB file
- By putting a well-chosen number_of_tracks and value, we can write a 32 bit address at any place we want in RAM
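The unchecked array[number_of_tracks] = value write above, as an added example (not the Dashboard's code): a constructed ST.DB-like header is parsed, the vulnerable store lands on a saved return address in a simulated address space, and the bounds-checked store rejects the same file. The two-dword header layout, the array capacity, the addresses and the helper names are this example's assumptions; only the fact that both index and value come unchecked from ST.DB is from the slide.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define MEM_SIZE   0x400u
#define TRACKS_MAX 16u           /* capacity of the track array */
#define ARRAY_BASE 0x100u        /* where the track array lives in "memory" */
#define RET_SLOT   0x3A0u        /* a saved return address on the "stack" */

uint8_t mem[MEM_SIZE];           /* simulated Dashboard address space (offsets) */
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

/* Constructed ST.DB-like header: two little-endian dwords.  Both are attacker
 * controlled because the file is written by the user's own soundtrack ripper. */
typedef struct { uint32_t number_of_tracks, value; } StDbHeader;

void make_stdb(uint8_t out[8], uint32_t number_of_tracks, uint32_t value)
{
    memcpy(out, &number_of_tracks, 4);
    memcpy(out + 4, &value, 4);
}

static StDbHeader parse_stdb(const uint8_t *file)
{
    StDbHeader h;
    memcpy(&h.number_of_tracks, file, 4);
    memcpy(&h.value, file + 4, 4);
    return h;
}

/* Vulnerable: array[number_of_tracks] = value with the index trusted.
 * Returns the address written, or 0 if the write would leave the simulated
 * memory (on the real box there is no such guard: any address in RAM is hit). */
uint32_t vuln_store(const uint8_t *file)
{
    StDbHeader h = parse_stdb(file);
    if (h.number_of_tracks >= (MEM_SIZE - ARRAY_BASE) / 4) return 0;
    uint32_t target = ARRAY_BASE + 4u * h.number_of_tracks;
    wr32(target, h.value);
    return target;
}

/* Fixed: reject the index before it is used. */
bool fixed_store(const uint8_t *file)
{
    StDbHeader h = parse_stdb(file);
    if (h.number_of_tracks >= TRACKS_MAX) return false;
    wr32(ARRAY_BASE + 4u * h.number_of_tracks, h.value);
    return true;
}

/* Index chosen so that &array[index] == RET_SLOT: (0x3A0 - 0x100) / 4 = 168. */
uint32_t evil_index(void) { return (RET_SLOT - ARRAY_BASE) / 4; }

/* Full run: the crafted file overwrites the saved return address in the
 * vulnerable loader.  Returns the value now sitting in that slot. */
uint32_t attack_demo(void)
{
    uint8_t file[8];
    memset(mem, 0, sizeof mem);
    wr32(RET_SLOT, 0xDEADBEEF);                  /* original return address */
    make_stdb(file, evil_index(), 0x00012345);   /* "address of our shellcode" */
    vuln_store(file);
    return rd32(RET_SLOT);
}

/* The same file against the fixed loader: rejected. */
bool defense_demo(void)
{
    uint8_t file[8];
    make_stdb(file, evil_index(), 0x00012345);
    return fixed_store(file);
}

int main(void)
{
    printf("saved return address after loading crafted ST.DB: 0x%08X\n", attack_demo());
    printf("fixed loader accepted it: %d\n", defense_demo());
    return 0;
}
```

Since the index is multiplied by the element size, only 4-byte-aligned targets relative to the array are reachable; that is enough for a return address on the stack, which is why the slides care that ESP is constant for a given Dashboard version.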








[hiew disassembly of the shellcode embedded in st.db: it locates its own load address with a pop ebp / sub ebp,120h sequence and builds its arguments relative to ebp]


- For a given Dashboard version, ESP is always the same when this bug occurs
- So we can change the return address on the stack
- ~400 bytes of ST.DB are loaded to a constant address (for a given Dashboard version)
- We put our shellcode there








About Audio Exploit code

- The shellcode does the same things as the 007 one
- But it had to be organized in a funny way because it must be 400 bytes maximum
- Code looks like it is replacing the Xbox key with the 007 one
- But the code uses obfuscation, and in fact another key is used





Combining exploits

- a savegame exploit can run a small Linux
- the user can patch the hard disk for a Dashboard exploit
- Linux can be booted without the game, from hard disk

Exploit Installer

- automated installer
- ships as a memory card image
- combines MechAssault & Ernie/Bert
- converts the Dashboard into a boot manager
developed for the xbox-Linux project by


Edgar "Gimli" Hueck 
Franz "Solder" Lehner 
Jeff "Kernel" Mears 
Michael "Papa" Steil 
Stefan "Exploit" Esser 


and Kermit the Frog 





MechInstaller

Dashboard Exploit Installer

Jeff Mears
asterisk@graces.dricas.com

Copyright © 2003 Jeff Mears

Jeff Mears

- Senior at University of California at Irvine
- Graduates June 2004
- Experienced hacker of video games
  - Making cheat codes (Action Replay)
  - Emulation
- Xbox-Linux contributions: loader algorithm, Xbox kernel information





What is MechInstaller? (1)

- MechInstaller is a saved game exploit for the game MechAssault that installs Stefan's Dashboard exploit
- Automated installation process
- Minimal technical expertise needed
- All you need is a way to get save files onto the Xbox
  - Memory card adaptors for PC

What is MechInstaller? (2)

- Regular functionality (except Xbox Live) of the Xbox as a game system is preserved
- Dashboard remains, but the "Xbox Live" menu option is replaced with "Linux"
- MechInstaller installs a Mini-Linux like 007
- With MechInstaller installed, Linux installation CDs (Xebian) boot directly so a permanent and full Linux can be installed













Why?

- Stefan's exploit is great, but difficult to use
  - Must boot 007 and do manual commands
  - Very tedious; cannot be done en masse
  - Difficult to recover from mistakes
- Multiple Dashboard versions
  - Stefan's exploit is most stable with one certain version
- Stefan's exploit completely replaces Dashboard, which many users don't want





MechInstaller as a Solution

- Difficulty: MechInstaller is fully automated and runs with the press of a button
- Recoverability: MechInstaller provides a "Restore Dashboard" option
  - Also provides emergency Mini-Linux like 007
- Compatibility: MechInstaller replaces the user's existing Dashboard with a known version regardless of previous version





Usability

- User loads memory card with hacked save
  - Same as the 007 exploit
- When booting MechAssault, the user sees a 3 option menu
  - Install Linux: Installs the Stefan exploit
  - Restore Dashboard: Installs original Dashboard
  - Emergency Linux: Runs a 007-like mini-Linux
- All options are fully automated




[screenshot: MechAssault load-game screen listing the saves "Restore Dashboard" and "Install Linux" (Controls: Normal, Difficulty: Regular, Current Level: Going Down Hard; Create New / Back / Select)]





Installing a Dashboard

- Installing a particular Dashboard version legally - but how?
- Solution: We have Microsoft do it for us.
  - Xbox Live games have a copy of the Dashboard to install
  - We use the installer from the game DVD to install it

Why MechAssault?

- Xbox Live game (has dashupdate.xbe)
- Easy and obvious saved game exploit
- Very popular game, easy to find
- Multi-Region (both America and Europe)
- Exploit triggers after selecting save file
  - Allows the creation of a little menu by having multiple save files, one per option





How - The Installer

- Get control of Xbox through exploit
- Hook the XBE loader in the Xbox kernel
  - Must hook kernel to hook a new XBE file
  - Quick-reboot so the game XBE loads again
  - Kernel calls us right before XBE executes
- Continue the installation from inside the game
  - Modify on-screen messages to user
- When we get control again, install hack
  - Copy Mini-Linux to Dashboard partition
- Reboot system and eject the MechAssault disk

How - The Dashboard Exploit

- Get control at startup with Stefan's exploit
  - However, the exploit badly corrupts heap
  - Can't continue loading Dashboard
- When exploit triggers, "Quick Reboot" into the Dashboard to reload it, except with a hook installed
- Modify "Xbox Live" text to say "Linux"
- Hook kernel's "Run XBE" routine
  - Called when Dashboard wants to run a disc
  - Also called when Dashboard tries to run Live (when the "Xbox Live" option, now "Linux", is chosen)





[flow: Dashboard loads -> Dashboard crashes -> Our code runs -> patch kernel -> run Dashboard again]








How - XBE Loading

- Our code is called when a disk is inserted
  - Any non-game disk will also trigger this
- 3 cases
  - DVD movie or Xbox game inserted: Load normally
  - Linux menu option selected: Load Linux
  - Linux CD/DVD inserted: Boot CD
- How to load Linux?
  - Detect Linux CDs from a special marking in the XBE header (not secure, but if the XBE were not made by us, the signature check would fail later when loading)
  - Replace the public key like 007





Security

- Modifying MechInstaller to install a pirate game loader is quite tempting to pirates
- Must prevent modifications like this
  - Same protection approach as 007: obfuscate the exploit code
  - Sign the XBEs we load with our own key
- Security eventually made useless by hacks
  - Phoenix BIOS Loader provided a much better pirate solution than MechInstaller, making it obsolete
  - MechInstaller was eventually hacked to load anything





Key Replacement (1)

- Completely replacing the RSA key used to sign XBEs with our own would be nice
- Only need to change key to load our XBEs - don't need to delete kernel's security checks
- However, certain parts of the XBE header are encrypted directly from the key
  - 16 bytes (out of 256) used as a simple XOR key
- Changing this XOR is okay on unmodified systems. However, because mod chips disable this security, this won't work properly! Linux CDs must be bootable by both MechInstaller and mod chip users.





Key Replacement (2)

- First idea: Leave RSA modulus alone but set the "public exponent" to 1
  - RSA equivalent of a "null" key: encrypted data equals decrypted data. "Signing" is a no-op.
  - Works, but very easy to repeat
- 007: Change the modulus to a weak one
  - Modify parts that don't affect the header XOR
  - Make the modulus either a prime number or an easily factored number (the latter was used in 007)
  - 007's key was factored before the exploit was cracked
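The two weak-key ideas on this slide worked through as an added example (this is not MechInstaller's or 007's code): with public exponent 1 the message is its own signature, and with a factorable modulus (or a prime one) trial division recovers the private exponent so anyone can forge signatures. A toy 32-bit modulus is used so the arithmetic fits in 64-bit integers; the real XBE key is 2048-bit and the numbers, padding-free "verification" and helper names here are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* All values stay below 2^32 so products fit in uint64_t. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (a * b) % n; }

uint64_t powmod(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t r = 1;
    base %= n;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, n);
        base = mulmod(base, base, n);
        exp >>= 1;
    }
    return r;
}

/* Toy verification: s^e mod n must equal the (unpadded) message value m. */
bool rsa_verify(uint64_t s, uint64_t e, uint64_t n, uint64_t m)
{
    return powmod(s, e, n) == m % n;
}

/* Idea 1: public exponent 1.  s^1 mod n == s, so the message is its own
 * valid signature: a "null" key, anyone can "sign". */
bool exponent_one_is_noop(uint64_t n, uint64_t m)
{
    return rsa_verify(m % n, 1, n, m);
}

/* Idea 2 (007): an easily factored modulus.  Trial division finds p, hence
 * q, phi(n) and the private exponent d for the public e. */
uint64_t smallest_factor(uint64_t n)
{
    for (uint64_t p = 2; p * p <= n; p++)
        if (n % p == 0) return p;
    return n;                      /* n is prime */
}

int64_t inv_mod(int64_t a, int64_t m)   /* extended Euclid; -1 if no inverse */
{
    int64_t t = 0, nt = 1, r = m, nr = a % m;
    while (nr != 0) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    if (r != 1) return -1;
    return t < 0 ? t + m : t;
}

/* Recover d from the public key alone.  A prime modulus (the slide's other
 * option) is just as weak: phi(p) = p - 1 with no factoring at all. */
int64_t private_exponent(uint64_t n, uint64_t e)
{
    uint64_t p = smallest_factor(n), q = n / p;
    uint64_t phi = (q == 1) ? p - 1 : (p - 1) * (q - 1);
    return inv_mod((int64_t)e, (int64_t)phi);
}

/* Forge a signature for m under a weak (n, e): recover d, then m^d mod n. */
uint64_t forge_signature(uint64_t n, uint64_t e, uint64_t m)
{
    int64_t d = private_exponent(n, e);
    return d < 0 ? 0 : powmod(m % n, (uint64_t)d, n);
}

/* Constructed toy key: n = 61 * 53 = 3233, e = 17 (textbook example values). */
#define TOY_N 3233u
#define TOY_E 17u

int main(void)
{
    uint64_t m = 65, s = forge_signature(TOY_N, TOY_E, m);
    printf("e = 1: message verifies as its own signature: %d\n", exponent_one_is_noop(TOY_N, m));
    printf("n = %u factors as %llu, d = %lld, forged s = %llu verifies: %d\n", TOY_N,
           (unsigned long long)smallest_factor(TOY_N), (long long)private_exponent(TOY_N, TOY_E),
           (unsigned long long)s, rsa_verify(s, TOY_E, TOY_N, m));
    return 0;
}
```

Against a real 2048-bit modulus the trial division above is hopeless, which is the whole point of the next slide: the effort an attacker needs is set by the weakest of factoring the modulus and reverse engineering the obfuscation that hides it.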





Key Replacement (3)

- MechInstaller: Create a "strong" key with the same XOR as the original
  - Take advantage of the fact that the XOR key comes from the middle part of the modulus
- The key made this way is not as secure as normal RSA-2048
  - Much easier to reverse engineer the obfuscation than to factor the key





Secrecy

- we do obfuscation and RSA key replacement
- this technology can possibly be abused
- the source of MechInstaller needs to be kept secret!





Timeline

25 Jun 2003: MechAssault exploit
4 Jul 2003: Dashboard exploits
11 Aug 2003: MechInstaller released
12 Sep 2003: Dashboard update (Xbox Live)
Nov 2003: fixed versions of MechAssault





Dashboard Update

- Microsoft updates the Dashboard remotely without asking
  - even if you're not an Xbox Live user
- can't be undone without the old image
- so don't buy Xbox Live
- and don't enter network settings in the Dashboard





Can they just...?

- they say running Linux on the Xbox is illegal
- they say the forced update is legal
- they say you lose the right to use the old version

Can I just...











Hacking Status

- most new Xboxes still contain the vulnerable Dashboard
- else it is easy to downgrade
- there are a million vulnerable MechAssault DVDs out there
- and did we mention...
- there's more